Editor's note: The following is a contributed piece by Valerie Charles, chief strategy officer at GAN Integrity, a compliance management software provider.
Last year marked the 40th anniversary of the Foreign Corrupt Practices Act (FCPA). In 2017, the Department of Justice (DOJ) and U.S. Securities and Exchange Commission (SEC) resolved thirteen corporate enforcement actions. Several of the companies involved are household names in the U.S. One company ended up paying fines equaling almost $1 billion. Robust enforcement against both individuals and companies continues, with no sign of slowing down.
Though some of these companies engaged in bribery schemes, compliance officers know that third parties represent the overwhelming majority of the threat to FCPA compliance.
Understandably, rigorous third-party due diligence programs have become the focus of compliance departments. Though third-party due diligence is important, monitoring third parties after initiating a relationship is also necessary. Your monitoring program could impact your decision to onboard third parties in the first place, and comprehensive monitoring could allow you to take on more high-risk third parties. A monitoring program can include annual certifications, adverse media reports, new backgrounds checks or even full audits.
In fact, being able to change the behavior of someone working for or on behalf of your company is the most effective form of mitigation. Let's explore the mitigating role effective training can have on third-party risks in particular.
Questions to ask when establishing a third-party compliance training program
Where do your third parties live?
Location should be a determining factor in what your training will include. Despite the fact that FCPA training and U.K. Bribery Act training should be delivered to most of your third parties, since these laws have global jurisdiction, local anti-bribery and corruption laws may differ from one place to another. Likewise, thresholds set for gifts and hospitality are not the same across geographies. Even cultural business practices diverge. Thus, identifying the location of your third parties should be one of the stepping stones to building out your third-party training program.
What is your third party like?
Organize your third parties when creating your compliance training program to achieve a high level of accuracy. Not all types of third parties should undergo the same type of training, just as not all in-house employees are subject to the same training program.
What do your third parties need?
Tailor your compliance training to the needs of your third parties. The most classic example is to provide content in the local language, but considering the environment of your third party is also crucial. Ask yourself: Do they have access to computers to take the training? Should your training be accessible from a specific type of device? Would on-site training work better?
Is the training relatable?
The more your third party can identify with training, the better. Including real-life scenarios that reflect his or her day-to-day tasks will resonate more with the trainee. Again, consider the third party's location and environment when creating personalized scenarios.
The implementation process
Use a centralized system
Dovetailing your due diligence and compliance training programs can be challenging. Putting technology to good use could solve your problem. Centralizing all third party-related data in one place will provide you with the overview you need to customize your training to the different third-party groups. A clear visualization of high-, medium- and low-risk third-party groups will also allow you to make the right decisions on the frequency with which you should deliver compliance training. High-risk third parties will need to take training more often than low-risk ones.
Instill compliance as a culture
Third parties are still a part of your company, so creating a culture of compliance still applies to them. Countless times, headlines have featured companies that were assumed to have — and may truly have had — a high level of transparency embroiled in corruption investigations or hit with large FCPA fines because some third party had bribed on the company's behalf in Uzbekistan or Nigeria. Managers and employees who engage with third parties in high-risk countries should make it is clear that that is not how you do business. If corrupt practices are widespread in your third party's local environment, pressure to meet performance targets might push them in the unethical direction. Sensitize your third parties to adopt the values and business ethics of your company and not the local practices.
Set up "nudge" notifications
As much as training has been stressed as the means through which policies and procedures come to life, nudging, some argue, is more effective in steering towards the right behavior. Imagine the effect reminders, notifications of policies, code of conduct or other automated messaging could have on third parties submitting exception requests or filing expense reports. This effort would require implementing integrated and automated solutions to your compliance program. The effort, however, is definitely worth your while.
Training for success
Third parties play an integral role in today's business landscape. But because these third parties are often far removed from corporate headquarters and may be working within a very different environment, compliance training is paramount. However, each third party has its own needs, so be sure to customize training for maximum efficacy. Avoiding FCPA enforcement actions will be within closer reach if you apply the best practices noted above to your compliance training programs.